Common Privacy Weaknesses and Vulnerabilities in Software Applications

by   Pattaraporn Sangaroonsilp, et al.
University of Wollongong

In this digital era, our privacy is under constant threat as our personal data and traceable online/offline activities are frequently collected, processed and transferred by many software applications. Privacy attacks are often formed by exploiting vulnerabilities found in those software applications. The Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) systems are currently the main sources that software engineers rely on for understanding and preventing publicly disclosed software vulnerabilities. However, our study on all 922 weaknesses in the CWE and 156,537 vulnerabilities registered in the CVE to date has found a very small coverage of privacy-related vulnerabilities in both systems, only 4.45% in CWE and 0.1% in CVE. These also cover only a small number of areas of privacy threats that have been raised in existing privacy software engineering research, privacy regulations and frameworks, and industry sources. The actionable insights generated from our study led to the introduction of 11 new common privacy weaknesses to supplement the CWE system, making it become a source for both security and privacy vulnerabilities.


Panel: Humans and Technology for Inclusive Privacy and Security

Computer security and user privacy are critical issues and concerns in t...

A Survey of Privacy Infrastructures and Their Vulnerabilities

Over the last two decades, the scale and complexity of Anonymous network...

Measurements of the Most Significant Software Security Weaknesses

In this work, we provide a metric to calculate the most significant soft...

V2W-BERT: A Framework for Effective Hierarchical Multiclass Classification of Software Vulnerabilities

Weaknesses in computer systems such as faults, bugs and errors in the ar...

Discovering ePassport Vulnerabilities using Bisimilarity

We uncover privacy vulnerabilities in the ICAO 9303 standard implemented...

A Model-Driven-Engineering Approach for Detecting Privilege Escalation in IoT Systems

Software vulnerabilities in access control models can represent a seriou...

Please sign up or login with your details

Forgot password? Click here to reset